This function should be internal, being exposed only via functions like
mbedtls_x509write_crt_set_subject_name().
Signed-off-by: David Horstmann <david.horstmann@arm.com>
"Key generation method" was misleading since it also applies to key
derivation. Change "key generation" to "key production", which we aren't
using yet and has roughly the right intuition. Change "method" to
"parameters" which there seems to be a slight preference for. Discussion
thread: https://github.com/Mbed-TLS/mbedtls/pull/8815#discussion_r1486524295
Identifiers renamed:
psa_key_generation_method_t → psa_key_production_parameters_t
psa_key_generation_method_s → psa_key_production_parameters_s
PSA_KEY_GENERATION_METHOD_INIT → PSA_KEY_PRODUCTION_PARAMETERS_INIT
method → params
method_data_length → params_data_length
default_method → default_production_parameters
psa_key_generation_method_is_default → psa_key_production_parameters_are_default
setup_key_generation_method → setup_key_production_parameters
key_generation_method_init → key_production_parameters_init
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When generated by exp_mod, RR has enough limbs to be passed as a
parameter to core functions. If it is received from the caller, it might
be of any length.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH instead of
MBEDTLS_ERR_PEM_BAD_INPUT_DATA in case of errors.
This commit also fix related failures in test pkparse and
pem test suites.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
When exporting a key, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE should not happen.
This error indicates that the curve is not supported, but that would prevent
the creation of the key.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Removing E_core and returning early achieves the same and is simpler
(easier to read and maintain).
Signed-off-by: Janos Follath <janos.follath@arm.com>
memcpy() has the advantage of making the reader stop and arguably signal
that the shallow copy here is intentional. But that hinges on having the
right amount of & and the right size. An assignment is clearer and less
risky.
Signed-off-by: Janos Follath <janos.follath@arm.com>
- We have moved to fixed window exponentiation and the algorithm used is
properly documented and referenced in core already, no need for
duplication.
- A comment on mbedtls_mpi_copy states that mbedtls_mpi_exp_mod relies
on it not to shrink X. This is not the case anymore, however we
should probably still state that some functions might rely on this
property as we don't know it for sure and it is safer to keep it that
way.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Now that we have padding verification after decryption and since
this can be used to validate the password as well there is no
need to parse ASN1 content any more, so we can simplify/remove
that dependency.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Fix the workaround for the weirdness of mbedtls_ecp_write_key(), which
assumed a Weierstrass key.
This fixes the Montgomery private key parse tests in test_suite_pkparse.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the driver wrapper for psa_generate_key() and psa_generate_key_ext():
* Invoke the built-in code if using a non-default method, even if there
might be an accelerator. This is ok because we only support non-default
methods for RSA and we don't support driver-only RSA, therefore a
non-default method will always have built-in code behind it.
* Return NOT_SUPPORTED if trying to use a non-default method with an opaque
driver.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Instead of passing the size of the whole structure, just pass the data
length and let the implementation worry about adding the size of the
structure. The intent with passing the structure size was to allow
the client code in a client-server implementation to know nothing
about the structure and just copy the bytes to the server. But that was not
really a useful consideration since the application has to know the
structure layout, so it has to be available in the client implementation's
headers. Passing the method data length makes life simpler for everyone by
not having to worry about possible padding at the end of the structure, and
removes a potential error condition
(method_length < sizeof(psa_key_generation_method_t)).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The two algorithms are not equivalent. The original bignum
exponentiation was a sliding window algorithm. The one in
mpi_core_exp_mod uses a fixed window approach. This change is
intentional. We don't want to maintain two algorithms and decided to
keep the fixed window algorithm.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Implement and unit-test the new functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext(), only for the default method.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This means we can hold the mutex around the call to reserve_free_key_slot
in get_and_lock_key_slot, avoiding inefficient rework.
(Changes to get_and_lock_key_slot are not in scope in this PR)
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Hold the mutex for the entirety of the call.
We need the mutex for the wipe, also hold it for aborting driver transactions as this
may have side effects.
We can't use the macros here as this function returns void.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Hold mutex for the entirety of the call.
We are writing to storage and writing to the slot state here.
If we didn't keep the mutex for the whole duration then we may end up with
another thread seeing that a persistent key is in storage before
our slot is set to FULL; this would be unlinearizable behaviour.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Everything needs to be done under the mutex here, we operate directly on FULL/EMPTY
slots, and we can't let key_slots_initialized change before we operate on slots.
Refactor to use an exit label.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
